SANS Digital Forensics and Incident Response Blog

This post is intended to generate discussion about the professional development of digital forensic practitioners, prompted by a recent discussion of whether certifications are evil.

Why certify at all?

Certifications are not intended to ensure that someone is outstanding at their job, only that they meet the minimum qualifications for someone in the field, much as basic training teaches you the basics of combat but hardly makes you an Army Ranger.

For the sake of the profession, something similar to the bar or medical exams has to ensure that an entry-level individual possesses a basic set of knowledge. CPAs, doctors, and lawyers all need to pass a test. The best professionals in those fields are the ones with the most experience, but before they can even begin their first day in those professions they have to prove that they at least know enough not to make a critical error on day one.

I know many smart lawyers and doctors. None of them can do their jobs unless they have passed their tests; their IQ does not matter. You cannot fly a plane without passing tests. You cannot even drive a car without a license. I know many people who could drive a car without one, but the test is there to show that you understand the basics of road safety and vehicle control.

That is the point of certification.

Professionalization for Digital Forensics

Like it or not, licensing is barreling down on our profession faster than you think, for everyone in both information security and computer forensics. There are bills in Congress, and legislative action is under way in many states.

Good certifications are needed as a counter to that. The organizational efforts of the CDFS are part of that solution as well, but the states want educational, testable proof that someone doing the job has jumped through a couple of hoops and is not a snake oil salesman.

For the profession overall to be recognized, certifications are needed. Personally, I respect many certifications: the EnCE, the CCE, the CFCE, and the potential of the DFCA/DFCP. Last year I sent a Common Body of Knowledge out to over 80 practitioners; the CBK comment process outlines which skills are needed and which are "nice to have." I received a great deal of feedback, but we need more people whom we can reach out to and involve in these discussions.

As a profession, we will need to be tested in order to perform our work. It is not a matter of "if" but "when".

It is your call how we get that license: leave it to biased industry groups such as the PI lobby, or have digital forensic professionals (you and I) decide together what the minimum qualifications are.

How many professions that have been around for a while do not have at least an entry-level test?

I personally am not advocating any specific certification. There are many good, recognized ones out there, and professionals should pursue the certifications relevant to their chosen specialty. Get certified to show that we are a true profession.

Do we need to back only one certification now?

In my opinion, no. If we back one too soon, creativity and ingenuity will begin to languish. We need the certifications to continue to evolve and improve, and competition will do that for us. Having said that, I think all the certification bodies should understand that it is in our best interest to cross-promote one another's certifications. We are in this together; that is the mantra of the CDFS. For example, SANS, HTCIA, and ISFCE have routinely worked together. The SANS digital forensic courses are certified as CCE Bootcamps even though we offer a competing certification. Why? Because the CCE certification might be more useful in your specific industry, such as law enforcement rather than information security. We respect their certification objectives and regard them as a friend in the industry.

The key is understanding that the current discussion is not "Which certification?" The battle is "Should we certify at all?" This is why I am adamant about pushing individuals to earn a respected certification. I realize there are many; get the certification that will help you in your specific career, whether in law enforcement, litigation support, or information security.

We need your help

Help us decide what qualifications are needed for a minimally qualified professional in digital forensics. We do not think we have all the answers, but we need to come together to help professionalize digital forensics. Do you have any additional ideas on how to foster professionalization in this community? Send comments to me at rlee@sans.org and I'll share thoughts periodically.

Rob Lee is a Director for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years' experience in computer forensics, vulnerability discovery, intrusion detection, and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.

David Ellingsberg

Certs. We have enough people taking bootcamps on this and that, getting a cert they never use, but they have a cert. Now 5 years later they beat out the hands-on person because they have a cert but have never since done a hands-on exercise. When you can get around this bug, then bring on the certs. Ole.

Jerry

I feel that certification is necessary and has inter-organization bickering potential. I have been a designated appraiser; there are/were several major appraisal groups. Each granted a designation, and each refused to recognize the others, even though the requirements were the same. It boiled down to the best PR and the 'good ol' boy network' being dominant. Sadly, a third party injected its interests and rendered (IMHO) the designations moot. Otherwise it is a good concept and needs to establish the basis for future growth.

johnmccash

Rob, I suppose I understand your reluctance to use "certifications are evil" in the anchor text of your link, but I wish you hadn't misquoted me quite so vigorously. I never said certifications weren't useful. My point was that there are numerous problems with both their implementation and their use, and that in my opinion these overshadow their benefits. I also think these problems are endemic, and can't be reduced to what I consider an acceptable level without altering the concept of certification completely. In essence, certifications attempt to balance the mutually incompatible interests of candidates, hiring managers, HR departments, and certification providers. Of these, the ones with the most control of the certification process are HR departments (which tend to determine, with input from the hiring managers, which certs are considered useful to have) and cert providers. As a consequence, the whole process benefits those participants to the detriment of the candidates.

John

robtlee

John, Thanks for calling me out. Didn't mean to misquote ya. In fact, I do agree with many of your points, and it brings a very important topic into the headlines, at least for a little bit. Thanks for that. I changed it to the exact title you used to avoid confusion. It was not my intent to change your meaning. Good discussion either way.

- Rob

Vic

Hey Rob, I think that certifications are very important in the field we all work in, and I agree with you on your point that they are definitely needed. As you said, you need licenses for everything (e.g. hair cutting). We have a great responsibility in front of courts. Because of our analyses and testimonies, innocent people may go to jail or criminals might get acquitted. But certifications won't bother any lawyer or judge as long as there are no standards. No lawyer can know all certificates, nor the knowledge you have to have to pass those tests. There is a need for, let's say, 3 standard certifications whose contents have to be made public. If anyone wants to qualify even more, he can study for a BSc or MSc (e.g. MSc FCCI or MSc DI from UCD).

Vic

Please excuse my bad English, as it is not my first language.

Michael Cloppert

This is a good discourse to have in the public domain. First, I'd like to thank John and Rob for facilitating this discussion, even though necessary, critical peer review can be (incorrectly) skewed as undermining the profession. Of course, we know nothing could be further from the truth, but sadly other public forums tend to stifle self-evaluation.

In my 12 years in IT, and 8 in security, I've found that the only certifications that produce consistently reliable professionals are those which strictly require demonstrated application of knowledge. I was one of the ones screaming when SANS split certifications into Silver and Gold, because I felt it would cheapen the certification. I feared the many with Silver would not specify the level of their cert, and the public would only see "GCIA", for example. I still feel this way, and sadly, believe that this has played out over time.

Application of knowledge is one thing that distinguishes the CCIE from the myriad other Cisco certifications, to give a slightly different example. While I'm sure they exist, I've never met an unqualified CCIE. I've met plenty of unqualified SANS cert holders. Because the distinction between applied knowledge and lack thereof is so difficult to see, of course, I have no idea whether these folks have gone through the practical, although I certainly doubt it.

I do not put much weight in test-only certifications because anyone can memorize some stuff for a short period of time. If SANS wants to raise the bar, they need to make the difference between demonstrated applied knowledge and multiple-choice, test-only certifications unambiguous, especially for someone not in our industry like HR generalists, contract authors, proposal writers, and policymakers.

-Mike

Joseph W Shaw II

I don't think any amount of certification is going to stop the licensing dilemma digital forensic professionals will be facing in the coming years. Several states, including mine, already require it, and more are jumping on that bandwagon due to the lobbying pressure being exerted by various PI groups in an effort to corner the market on lucrative digital forensics work in the private sector. Until digital forensics professionals and organizations start doing the same, we're going to be in for a bumpy ride, and many of you will find yourselves unable to legally practice your profession regardless of your qualifications. It happened to digital forensic examiners in Texas after the 2007 'clarification' of the law, and it will happen again.

Larry Daniel

I am glad to see discussions going on in this area. While I know I make controversial posts on my blog from time to time, my intention is always to promote thought and discussion in different areas. Rob, keep up the good work!

Michael Dundas

I remember back when I was working as a system administrator for a pharmaceutical company. I was responsible for a bunch of Netware systems that contained adverse events databases and applications. We had a Novell CNE come in to assist us. I had about 5-6 years experience with Netware at the time. His knowledge was terrible; I could run circles around him on Netware, how it functioned, the details, etc. This was a big eye opener for me.

Since then, over the years, I have found the same with many certifications: SANS, Cisco, CISSP, you name it. Sure, you have your ones that are good, but the number of bad ones is staggering to me. Your statement about needing base knowledge is nice, but unfortunately I don't think that will help.

I have some certifications in BGP, protocol analysis, switching. I got them because the company forced me to in order to work with the products. They have been of no value to me, just a bunch of "letters" and an incremental count for the marketing departments on "the number of people certified on our system."

Recently, I was told that I should really have a 'certification' in order to look at network traffic. I have been doing research and analysis on network traffic, attack patterns, botnets, protocol analysis for years as part of my daily activities. I have trained many companies on network analysis. Really, I need to be certified? If I need to I will, but I think it is silly. It ends up giving employers a false sense of security. They will take the guy who is certified with 3 years experience over the individual that has 10 years experience and think they are better off; rarely is that the case in my experience.

You comment on needing a driver's license, babysitter's license, plumbing license, etc. etc. Just because everyone does it doesn't make it the right thing to do. Heck, I can get a firearm license without ever having to lay my eyes on a firearm, let alone use one. My father never had a firearm license, but I'd suggest you are safer with him working one than I (even if I had a license, which I do not); he grew up using them regularly.

Another 'problem' I have noticed with certifications is that over time they get "watered down". One of the reasons this happens is that there becomes pressure to get large numbers certified due to multiple certifications and competition with other businesses and certification standards.

My hope is that if there are certifications in forensics, they don't end up following the path of the multitude of other certifications. Don't do it. Use word of mouth, references, and experience to determine the best fit. If you must do it, do it right: spend lots of money, time, and transparency determining the best solution and don't let business and politics get in the way.

Jason Jordaan

I have looked at the certification debate for some time, especially as certifications began to spring up all over the place in our field. While I agree with Rob that certifications can play an important role in demonstrating that a person has the minimum required knowledge to do a job, this is not actually the same as being able to do the job, and thus if we do consider certifications, they should demonstrate both knowledge and applied skills.

A problem I have with certain certifications is that many of them are "business interests" created by businesses or business people with the purpose of making a profit. While this is no different to a university in a certain sense, there is generally some level of regulatory oversight there. So if I wanted to, I could set up a business, and with some slick marketing create the next big thing in computer forensics, design a certification, and make money (not that I plan to, before I get flamed into oblivion).

What I think we need are certifications created by non-profit bodies (and the non-profit requirement will limit the numbers of these, I am sure), which are made up of the members of the body, and which self-regulate themselves and the certification. In other words, a self-regulating professional body, which could issue appropriate certifications, enforce a code of practice or conduct, etc. I know there is some work being done in this regard, but as digital forensic practitioners who are passionate about our discipline, we need to do more.

David Blumrosen

So what is the minimum required skill that a person should have? Can we make a list of them? It will be quite hard, since the digital world is evolving so quickly. Evolution in technology means that what is not necessary today (since we don't know it exists yet) might become a minimum requirement a month from now. If so, then how can we set minimum standards?

If a person with an A cert tells us that he or she has knowledge in 1, 2, 3 (which is the minimum requirement at the moment), then when technology 4 is invented he or she will no longer meet the minimum requirement as a certified person unless he or she also masters 4. The problem is that not every person knows that they should question A about whether he or she has mastered 4 or not, especially in courts.
